D-TRUST-Root PKI Certification Practice Statement

More documents

Recommendations

Info

D-TRUST-Root-PKI Certification Practice Statement 4. Operating requirements 4.1 Certificate Application and Registration 4.1.1 Application Eligibility These provisions are specified in the Certificate Policy [CP]. 4.1.2 Registration-process and Administrative Responsibility Class 3-2 During the registration-process the applicants are made aware of the CP, the CPS and a subscriber agreement, which they must commit to observe. The documents will be published. The formal obligation follows the [ETSI-F] regulations. The application also contains the applicant’s declaration of consent stating his decision on publishing the resulting certificates. The documents are stored on paper or electronically. Class 3 EV-Certificates The declaration of consent is consistent with “Subscriber Agreement”, section 9.3 [GL-BRO]. 4.2 Processing the Certificate Application 4.2.1 Identification and Authentication The described procedures for identification and registration must be fully implemented in accordance with the provisions for the different class-categories; the necessary documents of proof must be impeccable. The CSP defines the following methods of identification and authentication: Pers-Ident An individual must personally identify himself to an RA, an official partner or an external provider that fulfills the requirements of the [CP] with his official ID (ID-card, passport or documents with equal standing) and be authenticated in turn. A valid ID-card or passport is deemed an acceptable identification document for individuals from the European Union or from states belonging to the Schengen-Agreement. Other documents with comparable status may be submitted instead. No copies of the identification documents are made or stored at the RA or CSP. Dok-Ident The pertinent contents are compared through copies (paper copies or digitalized, i.e. scanned documents or faxes) with the application data. Random samples are verified through telephone calls (compare out-of-band-mechanisms). Acceptable documents are those listed in the section Pers-Ident as well as commercial register (or comparable) excerpts no older than six months, PhD documents, documents of a postdoctoral lecture qualification, certificates of appointment, or comparable documents. Copies of the identification documents are kept either as hard-copies or in digital form. Page 21 of 53
D-TRUST-Root-PKI Certification Practice Statement Register A manual or automatic comparison is made between the application data and excerpts of the commercial register. Admissible are state registers (such as registration courts, public revenue offices, professional statutory corporations or comparable) or private registers DUNS, comparable financial databases and others). A registry excerpt can only be accepted as valid, if it does not have an attribute such as “invalid” or “inactive” attached to it. Copies of the documents are kept either as hard-copies or in digital form. Non-Register Government institutions/public corporations affirm certificate related information with an official seal and a signature. Copies of the documents are kept either as hard-copies or in digital form. HR-DB The CSP stipulates an agreement with an organization, so that data complying with the [CP] is transferred. An organization’s authorized employee or other responsible party transfers either an excerpt from the human-resource database, or the applications that have been filled out on the basis of the data from the human-resource database to the CSP. The applicable privacy laws need to be recognized by the transferring organization. The CSP relies upon the correctness and unambiguity of the transferred data. The same takes effect for certificate-requests transferred to the CSP. The applicant or subscriber must declare a formal recognition of the obligations as detailed in chapter 9.6.3 prior to the token hand-over. Digital or hard-copy evidence is kept concerning: - the transferred data, - evidence of the fact that the transferring individual is an authorized employee or the designated party for this action, - evidence, that the data was presented by an authorized employee or a designated responsible party and - evidence that the applicant or subscriber has acknowledged his duties as detailed in chapter 9.6.3 [CP]. S-affirmation The organization’s signatory affirms certificate-related information in writing. In isolated cases a digitally signed affirmation may be accepted by the CSP. The signatory power must be evident either from the publicly available organizational documentation or the supplied proof of existence. Otherwise it needs to be proved separately. Copies of the documents are kept either as hard-copies or in digital form. A-affirmation The organization’s authorized employee/responsible party or a trusted third party, such as one of the CSP’s contractual partners or a state institution like the chamber of industry and commerce affirm certain certificate-related information that is in their sphere of competence in writing. In isolated cases a digitally signed affirmation may be accepted by the CSP. Copies of the documents are kept either as hard-copies or in digital form. out-of-band-mechanisms The CSP uses out-of-band-mechanisms to verify application data. Communication paths and verification methods are chosen in such a way, that the applicant can not influence Page 22 of 53
Page 1 and 2: Publication date 13.08.2012 Effecti
Page 3 and 4: D-TRUST-Root-PKI Certification Prac
Page 21: D-TRUST-Root-PKI Certification Prac

D-TRUST-Root PKI Certification Practice Statement

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?